Analysis

  • max time kernel: 148s
  • max time network: 152s
  • platform: windows10_x64
  • resource: win10v20210408
  • submitted: 23-09-2021 07:12

General

  • Target: 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
  • Size: 460KB
  • MD5: 3b6f38ea6928bca0be7ce6cf39ec8959
  • SHA1: 5ea0766825327580776bc88add0e9267d97965e5
  • SHA256: 1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79
  • SHA512: d8355e551f8cfab86523036a69407a86723add802a361eeaf54c65301ed5c4b88713aada239e6e41ac9b326e74f8652488498126d6883b58c5425f0f50543ec0

Score: 6/10

Malware Config

Signatures

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 31 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
    "C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3272
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3156
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2508
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3996
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:360
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection -ComputerName google.com
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2104
    • C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
      C:\Users\Admin\AppData\Local\Temp\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe
      2⤵
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2860

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1 signature
  • Defense Evasion: Modify Registry (T1112), 1 signature
  • Discovery: System Information Discovery (T1082), 1 signature

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\1a3b100043d6e616674e8ccf0bd086eacccb6985aa8182029a2717aa57be5f79.exe.log
    MD5: 4a30a8132195c1aa1a62b78676b178d9
    SHA1: 506e6d99a2ba08c9d3553af30daaaa0fc46ae4be
    SHA256: 71636c227625058652c089035480b7bb3e5795f3998bc9823c401029fc844a20
    SHA512: 3272b5129525c2b8f7efb99f5a2115cf2572480ff6938ca80e63f02c52588216f861307b9ef962ba015787cae0d5a95e74ebb5fe4b35b34f1c4f3a7deac8ce09

  • memory/360-211-0x0000000000000000-mapping.dmp
  • memory/360-223-0x0000000007382000-0x0000000007383000-memory.dmp (Filesize: 4KB)
  • memory/360-222-0x0000000007380000-0x0000000007381000-memory.dmp (Filesize: 4KB)
  • memory/1292-157-0x0000000004AA2000-0x0000000004AA3000-memory.dmp (Filesize: 4KB)
  • memory/1292-147-0x0000000000000000-mapping.dmp
  • memory/1292-156-0x0000000004AA0000-0x0000000004AA1000-memory.dmp (Filesize: 4KB)
  • memory/1436-245-0x0000000000000000-mapping.dmp
  • memory/1436-258-0x0000000007302000-0x0000000007303000-memory.dmp (Filesize: 4KB)
  • memory/1436-256-0x0000000007300000-0x0000000007301000-memory.dmp (Filesize: 4KB)
  • memory/1844-229-0x0000000000000000-mapping.dmp
  • memory/1844-240-0x00000000070C0000-0x00000000070C1000-memory.dmp (Filesize: 4KB)
  • memory/1844-241-0x00000000070C2000-0x00000000070C3000-memory.dmp (Filesize: 4KB)
  • memory/2104-261-0x0000000000000000-mapping.dmp
  • memory/2104-273-0x0000000006920000-0x0000000006921000-memory.dmp (Filesize: 4KB)
  • memory/2104-274-0x0000000006922000-0x0000000006923000-memory.dmp (Filesize: 4KB)
  • memory/2508-172-0x0000000007380000-0x0000000007381000-memory.dmp (Filesize: 4KB)
  • memory/2508-173-0x0000000007382000-0x0000000007383000-memory.dmp (Filesize: 4KB)
  • memory/2508-163-0x0000000000000000-mapping.dmp
  • memory/2860-286-0x000000000040C26E-mapping.dmp
  • memory/2860-293-0x00000000053C0000-0x00000000053C1000-memory.dmp (Filesize: 4KB)
  • memory/3128-119-0x0000000004CF0000-0x00000000051EE000-memory.dmp (Filesize: 5.0MB)
  • memory/3128-117-0x0000000004C30000-0x0000000004C31000-memory.dmp (Filesize: 4KB)
  • memory/3128-114-0x0000000000370000-0x0000000000371000-memory.dmp (Filesize: 4KB)
  • memory/3128-116-0x00000000051F0000-0x00000000051F1000-memory.dmp (Filesize: 4KB)
  • memory/3128-118-0x0000000004C10000-0x0000000004C11000-memory.dmp (Filesize: 4KB)
  • memory/3156-140-0x0000000002A70000-0x0000000002A71000-memory.dmp (Filesize: 4KB)
  • memory/3156-141-0x0000000002A72000-0x0000000002A73000-memory.dmp (Filesize: 4KB)
  • memory/3156-131-0x0000000000000000-mapping.dmp
  • memory/3156-142-0x0000000007880000-0x0000000007881000-memory.dmp (Filesize: 4KB)
  • memory/3156-143-0x00000000078D0000-0x00000000078D1000-memory.dmp (Filesize: 4KB)
  • memory/3156-144-0x0000000007B50000-0x0000000007B51000-memory.dmp (Filesize: 4KB)
  • memory/3272-129-0x0000000007C80000-0x0000000007C81000-memory.dmp (Filesize: 4KB)
  • memory/3272-128-0x00000000073A0000-0x00000000073A1000-memory.dmp (Filesize: 4KB)
  • memory/3272-123-0x0000000004870000-0x0000000004871000-memory.dmp (Filesize: 4KB)
  • memory/3272-125-0x0000000006E30000-0x0000000006E31000-memory.dmp (Filesize: 4KB)
  • memory/3272-126-0x0000000006E32000-0x0000000006E33000-memory.dmp (Filesize: 4KB)
  • memory/3272-127-0x0000000007300000-0x0000000007301000-memory.dmp (Filesize: 4KB)
  • memory/3272-124-0x0000000007470000-0x0000000007471000-memory.dmp (Filesize: 4KB)
  • memory/3272-130-0x0000000007CF0000-0x0000000007CF1000-memory.dmp (Filesize: 4KB)
  • memory/3272-120-0x0000000000000000-mapping.dmp
  • memory/3680-191-0x0000000006F92000-0x0000000006F93000-memory.dmp (Filesize: 4KB)
  • memory/3680-189-0x0000000006F90000-0x0000000006F91000-memory.dmp (Filesize: 4KB)
  • memory/3680-179-0x0000000000000000-mapping.dmp
  • memory/3996-206-0x0000000007160000-0x0000000007161000-memory.dmp (Filesize: 4KB)
  • memory/3996-195-0x0000000000000000-mapping.dmp
  • memory/3996-207-0x0000000007162000-0x0000000007163000-memory.dmp (Filesize: 4KB)